How To Build a Security Culture You Can Be Proud Of
If you’ve ever been to Nashville, Tennessee, you know how humid it can get during the summers. That humidity not only has an effect on the people but can also affect our offices and homes. One summer at our Nashville office, the excess moisture in the air caused our doorframes to swell, making it difficult to completely shut our doors that normally remain locked. This issue went unattended until our COO noticed and reported the problem.
It’s not in our COO’s job description to monitor the security of our offices, but when she saw a problem, she spoke up. Luckily, the issue was resolved quickly to prevent any security risks that may have resulted in our office not being fully locked. At KirkpatrickPrice, we’ve nurtured a security culture that encourages and expects all members of the company to care about security.
Is security a priority in your organization?
In the past, security may have been something you only had to think about once a year during a compliance audit, but as more threats arise and data breaches become more common and more expensive, security should be an ongoing, individual, and company-wide goal.
Security as Culture
In her presentation at the 2022 Information Systems Audit and Control Association (ISACA) conference, Melissa Bischoping, an Endpoint Security Researcher at Tanium, discussed the importance of creating a security culture within an organization. Creating a company culture around security is all about the people.
For an organization to successfully implement this type of culture, it needs to start at the top. When security is considered a corporate goal, all members of the organization are more likely to adopt security best practices in their daily routines. An organization’s security culture should consider human behavior and motivations that support technical improvements.
As tempting as it is to want to have a finishing line in your security journey, Bischoping encourages organizations to avoid compliance as the outcome. Compliance does not equal security. Security is an ongoing, perpetual effort. Holistic security must be the goal. Instead of looking at compliance as an outcome, think of compliance as a validation of your continuous security efforts.
Foundations of Security Culture within an Organization
Now that we know the importance of a security culture within an organization, what are the elements of actually creating this culture?
- Mission & Vision— Establish a security culture that aligns with corporate goals.
- Security Champions—Your security culture should be present across teams and all levels of the company. Security feedback from the field should be valued and incorporated into various processes.
- Ease of Access—Security shouldn’t be difficult to uphold. Members of the organization should be aware of security policies and goals, how to report and respond to issues, and how to understand when systems aren’t working as they should.
- Campaigns—Create internal campaigns that focus on employee awareness of how to uphold security best practices within an organization and build trust.
- Desired Outcomes—Make sure desired outcomes involving your organization’s security culture are clearly defined, regularly measured, and celebrated when achieved.
So, why can it be so difficult to create and maintain a security culture within your organization? Many times, there’s a disconnect between different aspects of an organization such as audit, compliance, SecOps, IT ops, operations, and the business. It’s important that everyone in the organization understands why you’re protecting what you’re protecting. Context matters.
Do all members of your organization know what words like Risk, Zero-Trust, Cloud, and ‘Cyber’ mean? Is the only thing stopping a risky behavior just a piece of paper with the word “Policy” at the top? Policy does not equal security. A lack of understanding is the biggest problem standing between your organization and a strong security culture. So, how do we solve this issue?
While there are many ways to cultivate a security culture within your organization, these three steps will help you get started. The first step to creating culture is action. Start enforcing policies, preforming risk assessments, creating an incident response plan, and performing compliance audits. Communicate these actions to the entire company so security efforts are top of mind as a priority among your employees. Actions will lead to results like compliance and accreditation, improving your KPIs, and ROI. Results will lead to culture.
Another step in achieving culture is cross-organizational collaboration. Build an advisory board within your organization. Make the improvement of your cybersecurity practices a rewarding opportunity by including people across your organizational structure. By gathering a diverse group of individuals on a cybersecurity collaboration committee, you’ll receive valuable feedback on how your organization can improve its security, facilitate two-way conversations about security, and build trust throughout your organization.
One final step to creating a security culture within your organization is to start thinking like a hacker. Hackers are creative, but that leaves room for innovation within your organization. Look for ways you can harden your environment against threat actors’ attack paths. Penetration testing is a great way to stay proactive and illuminate ways hackers might gain access to your organization’s valuable data.
Making Sure Your Efforts Don’t Go to Waste
Bischoping encouraged her audience to keep security culture healthy by following these steps:
- Prioritize visibility and patching.
- Never assume your security efforts are working. Instead, continuously validate.
- Invest in the root cause analysis of failures.
Creating a security culture is about changing the hearts and minds of everyone involved to make sure your organization is staying ahead of inevitable threats. Everyone within your organization should be aware of the efforts you’re making to achieve a company-wide security mindset. Communicate desired changes and conduct security awareness training to reinforce the importance of security within your organization. When security is at the forefront of everyone’s mind, you’ll begin to see changes in your company’s threat management and security posture.
Become a Security Champion
The days of only thinking about security when your yearly SOC 1 or SOC 2 audit rolls around are over. By maintaining your security efforts throughout the year, you’re sure to become security champions.
Here at KirkpatrickPrice, we offer many ways to help you create a strong security culture.
- Are you conducting an annual penetration test?
- Should you be performing monthly or even daily scans of your cloud environment?
- Are you sure your risk assessment process is sufficient for your organization’s needs?
We would love to help you with all of your security needs. To learn more about how you can become a security champion, connect with a KirkpatrickPrice Security expert today!